PHP.net confirms server breach after Google flags them for malware

It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22, until it was discovered and removed on October 24.

Hours after Google's Safe Browsing initiative flagged the website for malware, PHP.net confirmed that two of their servers were compromised and used to attack visitors. However, the administrators are still not sure how the attackers accessed the servers.

The admission follows a lengthy debate over whether Google had incorrectly flagged the domain; several people connected to PHP.net had said they could find nothing malicious in the file in question, a JavaScript file that was later determined to have been altered to embed malicious iframes.

According to Google's initial report on Thursday, only four pages on PHP.net were serving the malicious JavaScript file (userprefs.js). The file had been modified with obfuscated code that appeared to be selective, targeting desktop users while ignoring those on mobile devices. The stance that Google's assessment was wrong has since changed:

"... the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net. The method by which these servers were compromised is unknown at this time," a status update on PHP.net explained.

Further, the SSL certificate used on PHP.net was revoked as a precaution, and a new one was issued shortly after. All affected services on the two compromised servers have been migrated, and the Git repository has been confirmed not to have been compromised.

Additional research from Trustwave's SpiderLabs confirmed the Shockwave (Flash) exploit attempt, but they also discovered that the script targeted CVE-2013-2551, an Internet Explorer flaw discovered by exploit clearinghouse VUPEN during this year's Pwn2Own competition at CanSecWest.

It's unknown how many users may have been infected by the rogue JavaScript, but PHP.net says the malicious code was active from October 22 until it was discovered and removed on October 24. The attack window is small, but PHP.net is among the top 250 domains on the Internet according to Alexa rankings, so the pool of potential victims is massive.

PHP.net user accounts that are used to commit code to any project will have their passwords reset over the next few days. A full post-mortem of the incident is expected sometime next week.